Is there a way for jenkins agent to restrict commands that is accepted from controller,

The need is in situations that controller is not totally trusted, or the server that agent is running on is also used for other purposes